Yeah, that works too. I forgot to add that in my configuration, we have a
piece of software running on the LDAP replicas (lbcd) that determines
whether or not the replica is in the load balanced pool. We kill the lbcd
process and let it sit for 5 minutes, which will make sure it is out of the
pool for short-lived clients, and then we shut down the server. ;)

We can't use hardware load balancing with the replicas because we use
SASL/GSSAPI for everything, and there are some interesting problems there
when it comes to replication.

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin